# Contributor: Jakub Jirutka <jakub@jirutka.cz>
# Maintainer: Stuart Cardall <developer@it-offshore.co.uk>
pkgname=shadow
pkgver=4.14.2
pkgrel=0
pkgdesc="PAM-using login and passwd utilities (usermod, useradd, ...)"
url="https://github.com/shadow-maint/shadow"
arch="all"
license="BSD-3-Clause"
# Opt-ins for privileged files: "suid" for set-uid binaries and "setcap" for
# binaries carrying file capabilities (build() configures --with-fcaps and
# cmd:setcap is a build dependency below).
# NOTE(review): confirm the exact meaning of both options against APKBUILD(5).
options="suid setcap"
makedepends="linux-pam-dev libbsd-dev libcap-dev cmd:setcap"
# Package script shipped next to this file; the name indicates a post-upgrade
# hook. Its contents are not visible here.
install="$pkgname.post-upgrade"
# Split packages. login, _login_doc, conv and subids are defined in this file;
# the remaining entries have no function here and presumably use abuild's
# built-in split functions - TODO confirm.
subpackages="
	$pkgname-dbg
	$pkgname-dev
	$pkgname-libs
	$pkgname-login
	$pkgname-login-doc:_login_doc:noarch
	$pkgname-doc
	$pkgname-conv
	$pkgname-subids
	"
# Upstream release tarball plus local patches and PAM service files. Each entry
# has a matching digest in sha512sums at the end of this file.
source="https://github.com/shadow-maint/shadow/releases/download/$pkgver/shadow-$pkgver.tar.xz
	fix-undefined-reference.patch
	useradd-defaults.patch
	chsh.pamd
	shadow-utils.pamd
	"

# secfixes:
#   4.13-r4:
#     - CVE-2023-29383
#   4.5-r0:
#     - CVE-2017-12424
#   4.2.1-r11:
#     - CVE-2017-2616
#   4.2.1-r7:
#     - CVE-2016-6252

# Login utilities that go into the shadow-login subpackage.
# Space-separated list: login() moves the binaries and _login_doc() the
# matching man pages. Both iterate over it with an unquoted expansion, so
# entries must not contain whitespace or glob characters.
_login_cmds='faillog lastlog login newgrp nologin sg su'

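# Configure and compile shadow for packaging.
#
# Globals: CBUILD, CHOST, CTARGET (read) - triplets handed to ./configure.
# Returns: exit status of the final make.
#
# Flags a reviewer will want to know about:
#   --disable-account-tools-setuid  the account management tools are not
#       installed set-uid; package() notes that most of them are therefore
#       not PAM-aware.
#   --with-libpam, --with-yescrypt  PAM support and yescrypt support are on.
#   --with-fcaps  NOTE(review): presumably makes newuidmap/newgidmap rely on
#       file capabilities instead of the set-uid bit, which would match
#       options="setcap" - confirm against upstream's configure help.
#   --without-audit, --without-selinux  built without libaudit and SELinux
#       integration. NOTE(review): hosts that depend on audit records for
#       account changes need another source for them - confirm.
build() {
	# The triplets are quoted so that word splitting or pathname expansion
	# can never turn one configure argument into several.
	./configure \
		--build="$CBUILD" \
		--host="$CHOST" \
		--target="$CTARGET" \
		--prefix=/usr \
		--sysconfdir=/etc \
		--mandir=/usr/share/man \
		--localstatedir=/var \
		--disable-account-tools-setuid \
		--disable-nls \
		--enable-lastlog \
		--without-audit \
		--with-libpam \
		--without-selinux \
		--without-acl \
		--without-attr \
		--without-tcb \
		--with-yescrypt \
		--without-nscd \
		--without-group-name-max-length \
		--with-fcaps
	make
}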

# Run the upstream test suite through the build system's "check" target.
# Returns the exit status of make.
check() {
	make check
}

# Stage the build output in $pkgdir and adjust it for packaging.
#
# Globals: pkgdir (read) - staging root; srcdir (read) - holds the local
#          PAM service files listed in source=.
package() {
	# Install the compiled tree, then the manual pages from man/.
	make DESTDIR="$pkgdir" install
	make -C man DESTDIR="$pkgdir" install-man

	# None of the PAM service files shipped upstream are packaged; the
	# directory is emptied here and repopulated from $srcdir below.
	rm "$pkgdir/etc/pam.d/"*

	# chsh has a service file of its own.
	install -m644 "$srcdir/chsh.pamd" "$pkgdir/etc/pam.d/chsh"

	# build() passes --disable-account-tools-setuid, so most tools are not
	# PAM-aware. The ones listed here share one service file through
	# relative symlinks, which keeps their PAM policy in a single place.
	install -m644 "$srcdir/shadow-utils.pamd" "$pkgdir/etc/pam.d/shadow-utils"
	for pam_aware in groupmems chpasswd chfn newusers; do
		ln -s shadow-utils "$pkgdir/etc/pam.d/$pam_aware"
	done

	# passwd, login and su get no service file here; they should work fine
	# with the configuration that 'linux-pam' provides.

	cd "$pkgdir"

	# Man pages that other packages own: groups(1) conflicts with
	# coreutils-doc, getspnam(3) and passwd(5) with man-pages.
	rm usr/share/man/man1/groups.*
	rm usr/share/man/man3/getspnam.3*
	rm usr/share/man/man5/passwd.5*

	# Upstream's /etc/login.defs is replaced by an *almost* blank file that
	# carries a single setting.
	# NOTE(review): every other login.defs key is thereby left at shadow's
	# built-in default, including ENCRYPT_METHOD for any tool that hashes a
	# password itself instead of going through PAM - confirm those defaults
	# are acceptable.
	rm etc/login.defs
	printf '%s\n' "USERGROUPS_ENAB yes" > etc/login.defs

	# Empty subordinate ID tables, mode 644. Used e.g. for unprivileged LXC
	# containers.
	local idfile
	for idfile in subuid subgid; do
		install -m644 /dev/null "etc/$idfile"
	done
}

# Split function for shadow-login: moves every command named in
# $_login_cmds out of the main package.
#
# Globals: _login_cmds, pkgname, pkgdir (read); pkgdesc, provides,
#          provider_priority, replaces (written).
# Returns: 1 as soon as one command is found in none of the searched
#          directories.
login() {
	pkgdesc="Login utils from shadow package: ${_login_cmds// /, }"
	# For backward compatibility (Alpine <3.16).
	replaces="$pkgname"
	# newgrp, login, nologin and su conflict with util-linux-login, the
	# other provider of login-utils; priority 10 is the lowest.
	provides="login-utils"
	provider_priority=10

	cd "$pkgdir"

	local cmd dir
	for cmd in $_login_cmds; do
		for dir in bin sbin usr/bin usr/sbin; do
			# -L is tested as well so that a dangling symlink still
			# counts as present.
			[ -e "$dir/$cmd" ] || [ -L "$dir/$cmd" ] || continue
			amove "$dir/$cmd"
			continue 2
		done
		# Only reached when no directory held the command.
		error "file $cmd not found"
		return 1
	done
}

# Split function for shadow-login-doc: moves the man pages of every command
# in $_login_cmds and gzip-compresses them.
#
# Globals: _login_cmds, pkgname, pkgver, pkgrel, subpkgdir (read);
#          pkgdesc, depends, replaces, install_if (written).
_login_doc() {
	pkgdesc="Login utils from shadow package (documentation)"
	install_if="docs $pkgname-login=$pkgver-r$pkgrel"
	depends="!util-linux-login-doc"
	# For backward compatibility (Alpine <3.16).
	replaces="$pkgname-doc"

	local cmd
	for cmd in $_login_cmds; do
		# The argument is a glob pattern and is left unquoted, so the
		# shell expands it when it matches relative to the current
		# directory and passes it on literally otherwise.
		amove usr/share/man/man*/$cmd.*
	done

	# Compress every regular file under the man tree that does not carry a
	# .gz suffix yet.
	find "$subpkgdir/usr/share/man" ! -name "*.gz" -type f \
		-exec gzip -9 {} \;
}

# Split function for shadow-conv: moves the four shadow conversion tools
# out of the main package, one amove call per tool.
#
# Globals: pkgname (read); pkgdesc, replaces (written).
conv() {
	pkgdesc="Utilities for converting to and from shadow passwords and groups"
	# For backward compatibility.
	replaces="$pkgname"

	local tool
	for tool in pwconv pwunconv grpconv grpunconv; do
		amove "usr/sbin/$tool"
	done
}

# Split function for shadow-subids: moves getsubids, the new*idmap helpers
# and the subordinate ID tables created in package().
#
# Globals: pkgname, pkgver, pkgrel (read); pkgdesc, depends, provides
#          (written).
# NOTE(review): the new*idmap helpers are presumably the binaries that
# --with-fcaps in build() applies to - confirm their capabilities or mode in
# the built package.
subids() {
	pkgdesc="Utilities for using subordinate UIDs and GIDs"
	depends=""
	# For backward compatibility (Alpine <3.16).
	provides="$pkgname-uidmap=$pkgver-r$pkgrel"

	local item
	for item in bin/getsubids 'usr/bin/new*idmap' etc/subuid etc/subgid; do
		# $item stays unquoted on purpose: the new*idmap entry is a glob
		# pattern and must remain subject to pathname expansion, just as
		# a bare argument would be.
		amove $item
	done
}

# SHA-512 digest for every entry in source=, in the same order.
# NOTE(review): the digests pin the release tarball to what was recorded
# here; this file shows no upstream signature check, so authenticity rests on
# the download the digest was taken from - confirm when bumping pkgver.
sha512sums="
b417dbe0fbbeced1022e64efe9dcd8b41d14779c45163e6de63891ac63f837d43f3e559f99f884099aa45282299ceb4dcb9fd29d21c9925687ff8462fe6ead2f  shadow-4.14.2.tar.xz
0afe8754c5ded0c377711ed57c0f7020b9cbf6c5eecaca2a5f89a54bdb386d483ce1e7c5f5e1eb96a068aac08bc6b5f2b41c74021b0b77e53ae6ea0e6fe5cfe8  fix-undefined-reference.patch
f3da7c0508a65d52c2d3cb82328848f4e45648c27aa57af5866f7e41f9a509900075f2de29b06e13c125640d684894f8cff8f31ef39df984574972a9d569a412  useradd-defaults.patch
3bdad54ebb710bad43417b43f696d5d5c662c9f48e9feab590e307edafbaa3533d43e750d44c76ec154666822f30552c9b906ee1cfd935ef7cea717e8c5366c4  chsh.pamd
351c4930ef6c822bdc3363e7aca0a2b300d39cd9cfe42a220bf2090a4dbfd20565d5c7415602852cdb36966f37640c51a18a409c4a4dfa8f7c7095040e45760d  shadow-utils.pamd
"
